This article discusses troubleshooting methods for the most common Bring Your Own Key (BYOK) issues on Microsoft Azure Kubernetes Service (AKS).
Prerequisites
Troubleshooting checklist
Step 1: Register a preview feature to enable BYOK on an ephemeral OS disk
To register the preview feature that enables BYOK on an ephemeral operating system (OS) disk (Microsoft.ContainerService/EnableBYOKOnEphemeralOSDiskPreview), run the az feature register and az feature show commands. For instructions, see Register customer-managed key (preview) feature.
Step 2: Create a cluster that uses BYOK on an ephemeral OS disk
To create an AKS cluster that uses BYOK on an ephemeral OS disk, run the az aks create command. For instructions, see Create a new AKS cluster and encrypt the OS disk.
Note
If you don't specify the --node-osdisk-type parameter in the az aks create command, the default OS disk type for the node is Ephemeral only if the current virtual machine (VM) size supports ephemeral OS disks. For more information, see Ephemeral OS disks for Azure VMs.
Cause 1: Can't enable purge protection in the key vault
If you receive a CreateVMSSAgentPoolFailed error code and a KeyVaultNotPurgeProtectionEnabled error subcode, the creation of an agent pool for a virtual machine scale set failed because you didn't enable purge protection when you created the key vault.
Solution 1: Enable purge protection when you create the key vault
Run the az keyvault create command again, and specify a value of true for the --enable-purge-protection parameter. For instructions, see Create an Azure Key Vault instance.
Cause 2: Key vault and disk are in different regions when agent pool creation fails for a virtual machine scale set
If you receive a CreateVMSSAgentPoolFailed error code and a KeyVaultAndDiskInDifferentRegions error subcode, the key vault and the disk encryption set are located in different regions. The key vault and disk encryption set must be in the same region.
Solution 2: Use the same region as for the disk when you create the key vault
Run the az keyvault create command again, and make sure that the value that you specify in the --location parameter is the same region that you used for the disk encryption set. For instructions, see Create an Azure Key Vault instance.
Cause 3: Disk encryption set isn't granted
If you delete the disk encryption set permission for the key vault, the AKS cluster node won't run. In this situation, you receive the following error message in the disk encryption set page of the Azure portal:
To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault.
Solution 3: Update the security policy settings
Update the security policy settings again by running the az keyvault set-policy command. For instructions, see Grant the DiskEncryptionSet access to key vault.
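The three causes above can be checked before running az aks create. The following added example (not part of this article or the Azure CLI) reads the JSON that az keyvault show and az disk-encryption-set show print, and reports which cause would apply; the field layout is assumed, the sample resources are constructed, and DiskEncryptionSetNotGranted is a label local to this script rather than an Azure error subcode.

```python
"""Preflight check for the BYOK-on-AKS failure causes: purge protection,
key vault / disk encryption set region mismatch, and missing DES key access.
Input shape is assumed to match `az keyvault show -o json` and
`az disk-encryption-set show -o json`; the samples below are constructed."""
import json

# Key permissions that `az keyvault set-policy` grants the DES identity.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}


def byok_preflight(keyvault: dict, des: dict) -> list:
    """Return the conditions that would make cluster creation fail (empty = ready)."""
    findings = []
    props = keyvault.get("properties", {})
    # Cause 1: purge protection must be enabled on the vault.
    if props.get("enablePurgeProtection") is not True:
        findings.append("KeyVaultNotPurgeProtectionEnabled")
    # Cause 2: vault and disk encryption set must be in the same region.
    if keyvault.get("location", "").lower() != des.get("location", "").lower():
        findings.append("KeyVaultAndDiskInDifferentRegions")
    # Cause 3: the DES managed identity needs get/wrapKey/unwrapKey on the vault.
    principal = des.get("identity", {}).get("principalId")
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId") == principal:
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
    if not REQUIRED_KEY_PERMS <= granted:
        findings.append("DiskEncryptionSetNotGranted")  # local label, not an Azure subcode
    return findings


# Constructed sample resources (placeholder principal id, not a real identity).
DES = json.loads("""{"location": "eastus",
  "identity": {"principalId": "00000000-0000-0000-0000-000000000001"}}""")
GOOD_KV = json.loads("""{"location": "eastus", "properties": {"enablePurgeProtection": true,
  "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
  "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}""")
BAD_KV = json.loads("""{"location": "westus", "properties": {"enablePurgeProtection": null,
  "accessPolicies": []}}""")

if __name__ == "__main__":
    for name, kv in (("good vault", GOOD_KV), ("bad vault", BAD_KV)):
        print(name, "->", byok_preflight(kv, DES) or "ready for az aks create")
```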
Reference
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.